Adobe has released an emergency update for its widely used Flash Player to counter in-the-wild attacks that exploit a previously unknown security bug to surreptitiously install malware on end-user computers.

The vulnerability, which affects the latest versions of Flash, was being exploited in drive-by attacks on the websites of at least three nonprofit organizations, according to a blog post published Thursday by researchers from security firm FireEye. Two of the institutions—the Peter G. Peterson Institute for International Economics and the Smith Richardson Foundation—focus on matters of national security and public policy. The targets, combined with the technical signatures of the attacks themselves, have led researchers to suspect that the attackers are the same ones behind similar campaigns from 2012. The FireEye researchers wrote:

This threat actor clearly seeks out and compromises websites of organizations related to international security policy, defense topics, and other non-profit sociocultural issues. The actor either maintains persistence on these sites for extended periods of time or is able to re-compromise them periodically.

This actor also has early access to a number of zero-day exploits, including Flash and Java, and deploys a variety of malware families on compromised systems. Based on these and other observations, we conclude that this actor has the tradecraft abilities and resources to remain a credible threat in at least the mid-term.

The vulnerability, which is indexed as CVE-2014-0502 under the common vulnerabilities and exposures system, allows attackers in certain cases to execute malicious code by overwriting the virtual function table pointer of a Flash object. In a testament to the growing effectiveness of modern exploit mitigations, a protection known as address space layout randomization (ASLR) prevents the exploit from working on the vast majority of machines. ASLR makes memory-corruption exploits far less reliable by loading executables, libraries, the stack and the heap at unpredictable addresses, so an attacker who manages to hijack control flow does not know where to redirect it. The attackers behind the campaign discovered by FireEye found a way around this on computers running older software: the exploit only works when the browser process contains a module that was built without ASLR support and therefore always loads at the same address. Specifically, PCs running Windows XP (which has no ASLR at all), Windows 7 with the now-unsupported 1.6 version of Oracle's Java, and Windows 7 with a now out-of-date version of Office 2007 or Office 2010 don't benefit from the protection of ASLR.
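As an added illustration (not code from the article or from FireEye), the following Python script performs the check that decides whether such an exploit can succeed, and that a defender can run as an audit: it parses the PE headers of each image loaded into a process and reports which ones were built without ASLR support. The two sample images are constructed inline; "legacy_runtime.dll" is a hypothetical stand-in for an old runtime library of the kind the exploit relies on, not a real file name.

```python
import struct

# PE header flags (from the PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # module may be relocated: opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # module is DEP-compatible
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # no relocation data: cannot be moved at all


def aslr_status(image: bytes) -> dict:
    """Parse the DOS/COFF/optional headers of a PE image (on disk or dumped from
    memory) and report whether the loader can randomise its base address."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")

    coff_off = pe_off + 4
    (_machine, _nsections, _timestamp, _symtab, _nsyms,
     opt_size, file_characteristics) = struct.unpack_from("<HHIIIHH", image, coff_off)

    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    dll_characteristics = struct.unpack_from("<H", image, opt_off + 70)[0]

    dynamic_base = bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "nx_compat": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # A module is only randomised if it opts in AND can actually be relocated.
        "aslr": dynamic_base and not relocs_stripped,
    }


def non_aslr_modules(modules: dict) -> list:
    """Given {module name: image bytes} for one process, return the modules that
    always load at the same address. One such module is enough for the attacker."""
    return sorted(name for name, image in modules.items()
                  if not aslr_status(image)["aslr"])


def build_test_pe(dll_characteristics: int, file_characteristics: int = 0x2002,
                  pe32plus: bool = False) -> bytes:
    """Construct a minimal, header-only PE image for testing (not loadable)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: right after DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       opt_size, file_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample: a browser built with ASLR and DEP, a system library likewise,
# and a hypothetical old runtime DLL built without DYNAMIC_BASE (what the exploit needs).
SAMPLE_MODULES = {
    "browser.exe": build_test_pe(0x0140),
    "legacy_runtime.dll": build_test_pe(0x0000),
    "system_lib.dll": build_test_pe(0x0140, pe32plus=True),
}

if __name__ == "__main__":
    for name, image in SAMPLE_MODULES.items():
        print(name, aslr_status(image))
    print("fixed-address modules:", non_aslr_modules(SAMPLE_MODULES))
```

On a real system the same check is run over the module list of the browser process (from a debugger, or by reading each DLL from disk). Any module that lacks DYNAMIC_BASE, or that had its relocations stripped, sits at a predictable address and hands the attacker the fixed code addresses an ASLR bypass needs, which is why the old Java and Office versions mentioned above matter.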

Readers should remember that Flash versions 12.0.0.44 and 11.7.700.261, and all earlier versions, contain the underlying vulnerability regardless of the platform they run on. It's not uncommon for attackers to find new ways to exploit the same vulnerability, so everyone should install Adobe's emergency update. ASLR, security sandboxes, and similar mitigations are highly valuable protections, but they are by no means foolproof, as these attacks demonstrate. Users should never regard them as a substitute for patching vulnerable software. The attacks are also a reminder of the damage that can result from running out-of-date third-party programs.
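As an added example (not from the article or from Adobe), here is a branch-aware check of the two version thresholds quoted above, in Python. The subtlety it handles is that a plain numeric comparison against 12.0.0.44 would flag every 11.7.x build as vulnerable, including builds newer than 11.7.700.261 on the extended-support branch, because 11.7.x sorts below 12.0.x. The Linux branch of Flash is not covered by the article and is not modelled here; the sample inventory, its hostnames and its version strings are constructed.

```python
# Highest affected build on each branch quoted in the article.
AFFECTED_MAINLINE = (12, 0, 0, 44)
AFFECTED_EXTENDED_SUPPORT = (11, 7, 700, 261)


def parse_version(text: str) -> tuple:
    """Turn 'a.b.c.d' into a tuple of ints so it compares numerically, not as a string."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("Flash versions have four numeric components: %r" % text)
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True if this Flash build is affected by CVE-2014-0502 per the thresholds above."""
    v = parse_version(version)
    if v[:2] == (11, 7):                      # extended-support branch has its own threshold
        return v <= AFFECTED_EXTENDED_SUPPORT
    return v <= AFFECTED_MAINLINE


def needs_patch(inventory: dict) -> list:
    """Return the hosts whose reported Flash version is affected."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "ws-01": "12.0.0.44",      # the affected mainline build itself
    "ws-02": "12.0.0.70",      # newer than the affected mainline build
    "ws-03": "11.7.700.261",   # the affected extended-support build itself
    "ws-04": "11.7.700.269",   # extended support, newer than the affected build
    "ws-05": "11.9.900.170",   # older mainline release, also affected
}

if __name__ == "__main__":
    print("hosts needing the Flash update:", needs_patch(SAMPLE_INVENTORY))
```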

Adobe's Flash update is the second unscheduled release for the ubiquitous program this month. Adobe has more details about it here. It comes within hours of Microsoft releasing a stop-gap fix for a vulnerability in versions 9 and 10 of its Internet Explorer browser to combat a separate zero-day campaign. Ars strongly recommends that readers update to version 11 of IE, since it contains exploit mitigations not available in earlier releases. Those who are prevented from running version 11 should install the Microsoft fix as soon as possible.

Click-to-play plugins are very easy to enable on most modern browsers, hugely reduce the effectiveness of attacks such as these, and have the additional benefit of blocking annoying auto-playing video ads.

After seeing last week's story I decided to remove flash completely from my home computer. I have been pleasantly surprised that sites have updated to work without flash, but there are still some large holdouts.

This is why I don't have flash (outside of what comes in Chrome) installed on my PC at home.

Chrome has Flash, and now you depend on Google updating it, which is even worse, as you are not able to update when you want. I appreciate Google shipping Chrome with Flash built in and updating it for users, but only if that does not mean taking options away.

You can't update Flash on your own anymore, and neither can you do it with Chrome itself; you rely on them now for updates, which is awful as it takes options away from users. If they would update it for users but also give them the choice to do it manually, that would be another story, but sadly all this auto-update software takes away users' own freedom, so you depend on them now for everything.

The most difficult part of getting rid of Flash is that many websites insist on you having it unless you're on an iPad. Some sites (I'm looking at you, Youtube!) insist on it to show their ads. Because of their stubbornness, I don't see any ads on Youtube now, courtesy of Click-to-Flash, which defaults the site to HTML5 for me.

Flash will not die until sites like Youtube kill it. Imagine all those millions of websites that have videos on their pages; they still use Flash because Youtube still uses it.

So if we want Flash to die, major websites and services should stop promoting Flash, and they still do, which is ironic since HTML5 players work just fine. It's rather strange that Google still promotes Flash via Youtube but at the same time wants the rest of us to move to HTML5.

Exactly what I said as well. Google still promotes Flash with Youtube, and only this website, plus websites that have videos from Youtube in their pages, are the reason why most people still have Flash.

If Google really wants to promote HTML5, they should start with their own services.

Oh crap! I better get out and... oh wait... that's right. I don't have Flash installed anymore. Oh how I do miss making sure I uncheck the box for installing unnecessary software on my windows machines. Oh wait, I don't miss that either. Die already, Flash.

True. But Chrome isn't my default browser. The only time I open it up is when I want to watch a youtube video that won't play in Firefox without flash.

IE being the major holdout here.

Seriously? And it got upvoted?

Safety > ActiveX filtering

Check it.

And that's it.

If you want to click to play (really whitelisting, because IE will remember this on a per-site basis and you only need to, for example, enable Flash once for Youtube), click the blue circle icon with a diagonal line through it in the address bar and select Turn off ActiveX Filtering.

That is distinctly different from click-to-play. That is click-to-always-allow-the-plugin-for-this-domain. Click-to-play blocks every instance always until you...wait for it...click to play.

Yes it is, and it is better. Allow the plugin on a few domains and forget about it. Who wants to be nagged for clicks every single time? No thanks.

Plenty of people do...otherwise, click-to-play would not be default in Firefox* and an option in Chrome. You also have the option to always permit for the current domain...so why is having more choice worse?

*Edit to add that it is default for all but a select few popular plugins (Flash being among them). You have to enable click-to-play individually for the chosen few.

Newsflash! Adobe releasing patch for patch to fix patch for security patch that was exploited before it was patched. In other news, Adobe thinks security is finally their top priority for their products, after the user information breach, the countless Flash Player exploits and the inability to make any progress in reducing these problems. Adobe has enacted a constant live update system that uses a lot of PC resources but will constantly update Flash Player every 10 seconds to make sure it's safe. Thank you for your support.

Perhaps. But it leads to a real problem of "Update? AGAIN? Come on" and users ignoring the prompt because they see no benefit, and the update forces them to close the browser when they want to keep browsing -- and the restart isn't even necessary for some! Firefox, for instance, reloads all plugins if you visit about:plugins, no restart needed.

The complaint of "fix it right the first time" is a valid one for this reason, and surely there are others.

They are not alone. Oracle does the same thing when you download the JVM. They have how many billions? Do they really need $0.25 from whomever they cut that deal with, for every download? What good is it anyway, when users don't really want the software? God damn, we need to stop allowing smarmy salesmen to run the world.

^^ Which for some reason is bloody hard to find on their site. Thanks for the link.

As useful as that link is, you are not supposed to share it. To use it, you have to apply for a Flash Player distribution licence. The offline installers are for people to put into installation packages and for sysadmins to distribute on their intranets. As pathetic as that sounds, sharing that link violates their license agreement.

Adobe simply don’t have the resources to support a platform like Flash especially with its waning popularity. Their employee to product ratio is absurdly low and they’re beset with competing/duplicate projects that lack focus.

Fortunately for them their extortion based pricing scheme means they can be as undisciplined as they like for a long, long while … I mean QuarkXpress still manages to muddle along a decade after they were relevant.

Well, they started, but the HTML5 version is not going to develop itself in an instant.

I have been using it for the past year or so, and a good chunk of videos I wanted were available.

I'd invite both you, and anyone who upvoted you, to examine the facts a bit more clearly, because I think you may be misrepresenting things.